Latest Android phones hijacked with tidy one-stop-Chrome-pop

Chinese researcher burns exploit for ski trip.

PacSec Google's Chrome for Android has been popped in a single exploit that could lead to the compromise of any handset.

The exploit, showcased at MobilePwn2Own at the PacSec conference in Tokyo yesterday but not disclosed in full detail, targets the JavaScript v8 engine. It can probably hose all modern and updated Android phones if users visit a malicious website.

It is also notable in that it is a single clean exploit that does not require multiple chained vulnerabilities to work, the researchers say.

Quihoo 360 researcher Guang Gong showcased the exploit which he developed over three months.

PacSec organiser Dragos Ruiu told Vulture South the exploit was demonstrated on a new Google Project Fi Nexus 6.

"The impressive thing about Guang's exploit is that it was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction, " Ruiu says.

Dragos Ruiu (r) and Guang Gong

"As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone."

"The vuln being in recent version of Chrome should work on all Android phones; we were checking his exploit specifically but you could recode it for any Android target since he was hitting the JavaScript engine

A Google security engineer on site received the bug. Ruiu says it is likely that Google will pay a security bug bounty for the vulnerability since the working exploit details were not disclosed.

A second team from Germany also appears to have popped a modern Samsung phone, with a demonstration delayed until today due to a delayed flight.

As a reward Ruiu will fly Gong to the CanSecWest security conference in March next year for a ski trip.

Last year hackers hosed popular phones for shares in $425,000 in cash rewards, but security sponsors Google and Hewlett Packard's Zero Day Initiative pulled out.

Google did not offer detail to questions about its withdrawal, instead pointing Vulture South to its security rewards programs for Android.

HP says it did not sponsor the competition thanks to the complexities of the Wassenaar Arrangement and the US$300 million acquisition of Tipping Point and the Zero Day Initiative by Trend Micro.

"Due to the complexity of obtaining real-time import and export licenses in countries that participate in the Wassenaar Arrangement, the ZDI has notified conference organiser, Dragos Ruiu, that it would not be holding the Pwn2Own contest at PacSecWest," a spokesperson says.

"Additionally, with the recent announcement of the TippingPoint divesture, the ZDI will be under new ownership once the transaction closes."

Apple and Microsoft also failed to return as sponsors.

Ruiu says researchers like Gong would not necessarily put the effort into developing exploits for bug bounties alone, and prefer the fun and bragging rights of security hacking events. ®

Update: Since this story was published, Gong has confirmed to The Register that he believes the vulnerability affects all versions of Android running the latest Chrome. We have asked Google for comment. ®